[SANS ISC] Xmount for Disk Images, (Thu, Nov 4th)

Recently I’ve been doing a lot of imaging and mounting different image format types. Xmount(1) has been very handy and not something I’ve used a lot in the past.  Xmount can do DD, EWF (Expert Witness Compression Format), or AFF. While mount disks haven’t changed a lot, having a combined utility that can do the significant files types makes it more accessible.

Xmount can output in several different file types: “raw”, “dmg”, “vdi”, “vhd”, “vmdk”, “vmdks”.  Many Linux-based tools need to have a raw or dd style image to read; xmount can easily do this.  Mounting an OSX DD image as a DMG is an easy way to open up Filevault volumes. Just double-click the DMG file, input the password, and it’s mounted.

Depending on what you need to do with the image, booting it might be the fastest way to complete this.  Make sure that you are using a write-blocker or backup copy to prevent changes to the system.

#apt-get install xmount
#xmount –in ewf <FILE> –out vmdk –cache /tmp/disk.cache <Mount Point Folder>
#xmount –in ewf ./file.E01 –out vmdk –cache /tmp/disk.cache /tmp/ewf/

Now you should have a VMDK file in /tmp/ewf.  You can now add this file as a disk to an existing Vmware Machine or create a new virtual machine and boot off it.

Any other new forensics tools you have run across recently that makes life easier for forensicators? Leave a comment.

1 https://www.pinguin.lu/xmount

Tom Webb


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[ZDNet] US charges Greek national for selling insider trading subscriptions in the Dark Web

All posts, ZDNet

“TheBull” offered customers insider information, tips, and pre-release earnings. Source: Read More (Latest topics for ZDNet in Security)

Read More

[ZDNet] Black Friday shopping? FBI says beware of these holiday scams and phishing threats

All posts, ZDNet

The FBI expects a rise in complaints and losses to scams as shoppers hunt out bargains. Source: Read More (Latest topics for ZDNet in Security)

Read More

Daily NCSC-FI news followup 2020-07-24

Garmin outage caused by confirmed WastedLocker ransomware attack www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/ Wearable device maker Garmin shut down some of its connected services and call centers on Thursday following what the company called a worldwide outage, now confirmed to be caused by a WastedLocker ransomware attack. Lisäksi www.zdnet.com/article/garmin-services-and-production-go-down-after-ransomware-attack/ ja www.forbes.com/sites/leemathews/2020/07/23/garmins-alleged-ransomware-wastedlocker-evil-corp/ ja thehackernews.com/2020/07/garmin-ransomware-attack.html ja threatpost.com/garmin-suffers-ransomware-attack/157698/ Poliisi varoittaa Microsoft huijaussoitoista […]

Read More